Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA security violations and spent another $17 million in breach response costs.

On March 13, BCBST and the OCR, the government’s HIPAA privacy and security enforcer, reached the second-largest financial settlement of its kind, behind CVS Caremark’s $2.25 million price tag a little more than three years ago.

The agreement also requires BCBST to update its HIPAA compliance policies and procedures, obtain OCR approval on all policy changes, and conduct unannounced random audits of its own employees.
